Campaigning for the 4Cast Awards is in full swing; I think I got three emails about it last week! The link to vote is here.
FORENSIC ANALYSIS
- Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator take a look at the artefacts created by a couple of desktop apps for cloud storage providers.
- Oleg and Igor also have a post on Digital Forensics Corp on the various pieces of equipment to consider when building a digital forensics lab.
Creating a digital forensic laboratory: Tips and Tricks
- Alexis Brignoni at Initialization Vectors had a couple of posts this week
  - The first is a quick post on the hardware and software that he uses for testing purposes.
  Android – Mobile testing hardware and software
  - The second shows his examination of the Firefox Focus Privacy browser Android app, and how you can find remnants of the sites that the user accessed by examining the local storage.
  Local Storage – Firefox Focus Privacy Browser Artifacts in Android
- SalvationData show how to rebuild a RAID configuration using their DRS system.
[Case Study] Computer Forensics: Struggling to reconstruct RAID 5? Try With Our Easy Solutions!
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides a brief overview of the scripts created by Jacky Fox as part of her Master's dissertation on “extraction and correlation of Windows registry artifacts.”
Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry
THREAT INTELLIGENCE/HUNTING
- Hacker Hurricane shared out “a sample WinLogBeat.yml file for ELK and Humio users to collect the right stuff and provide an example of how to exclude various events to collect less noise and make your log management experience easier.”
Sample WinLogBeat.yml file for ELK and Humio users
- Swelcher has released a Volatility wrapper script that allows additional information, such as the plugin name and IP address, to be incorporated into a SIEM, specifically Graylog.
From Volatility to Graylog
UPCOMING WEBINARS/CONFERENCES
- ACE Lab will be hosting a one day “ACE Lab Tech Conference” on June 8, 2018 at the Tropicana Las Vegas.
ACE Lab Tech Conference “Exploring the Latest Data Recovery Trends & Developments”
PRESENTATIONS/PODCASTS
- There were a couple of videos posted from Black Hat 2017.
- John Strand at Black Hills Information Security explains how to use threat intelligence.
WEBCAST: How to Use Threat Intelligence
- Dave and Matthew hosted Lee Whitfield on the Forensic Lunch this week to talk about the 4cast awards and who they’re voting for. Also the second time I’ve heard that my site has encouraged people to write more, which I’m taking as an achievement. Thanks for the kind words 🙂
Forensic Lunch: 4/20/18
- Magnet Forensics shared Cesar Quezada’s recent webinar on mobile app parsing.
Recorded Webinar: Mobile App Parsing- All About that Data
- On this week’s Digital Forensic Survival Podcast, Michael reviewed Alan Orlikoski’s CyLR and CDQR tools.
DFSP # 113 – Dead Simple Timelines
- SANS shared a number of presentations this week
MALWARE
- Paul Burbage and Mike Mimoso at Flashpoint provide some details on the ARS VBS Loader.
RAT Gone Rogue: Meet ARS VBS Loader
- There were a couple of posts on the Malwarebytes Labs blog
  - Jérôme Segura comments on some recent changes to the Magnitude EK and its distribution of GandCrab
  Magnitude exploit kit switches to GandCrab ransomware
  - Hasherezade examines a sample of the PBot adware.
  PBot: a Python-based adware
- Mikhail Sosonkin has a guest post on Patrick Wardle’s Objective-See blog regarding reversing the Apple screencapture utility, as well as some malware identified as “MAC.OSX.Backdoor.KitM.A”.
Who Moved My Pixels?!
- Josh Grunzweig, Brandon Levene, Kyle Wilhoit and Pat Litke at Palo Alto Networks analyse a sample of a new malware family they’re identifying as “SquirtDanger”.
SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle
- Vishal Thakur at Salesforce Engineering examines a new VBS dropper, named Schneiken.
Malware Analysis: New Trojan Double Dropper
- There were a few posts on the SANS Internet Storm Center Handler Diaries this week
  - Didier Stevens shows how you can use his metatool.py script to check “if a URL was generated by Metasploit”
  Metasploit’s Payload UUID, (Sun, Apr 15th)
  - Didier also shows how to examine the “property values of VBA forms” using oledump, and has created a video (https://isc.sans.edu/diary/rss/23577) about the sample.
  A malicious word document with a VBA form, (Mon, Apr 16th)
  - Johannes Ullrich identifies some of the actions that attackers are performing after exploiting the recent Drupal vulnerability.
  A Review of Recent Drupal Attacks (CVE-2018-7600), (Tue, Apr 17th)
  - Xavier Mertens shares some information about some webshells that incorporate “a console mode that you can use to execute commands on the victim host”
  Webshell looking for interesting files, (Wed, Apr 18th)
  - Brad Duncan examines some malspam “pushing GlobeImposter ransomware”
  Malspam pushing ransomware using two layers of password protection to avoid detection, (Fri, Apr 20th)
- Suguru Ishimaru at Securelist examines an Android APK that contains ‘Android Trojan-Banker’.
Roaming Mantis uses DNS hijacking to infect Android smartphones
- Jonas Zaddach and Mariano Graziano at Cisco’s Talos blog describe some of the recent updates to the BASS framework.
Updates for BASS
- There were a few posts on the TrendLabs blog this week
  - Fernando Mercês examines some malware targeting routers by a hacking group from Brazil.
  Not Only Botnets: Hacking Group in Brazil Targets IoT Devices With Malware
  - Don Ladores and Angelo Deveraturda reverse XiaoBa, which is “a sophisticated file infector with cryptocurrency mining and worm capabilities”.
  Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner
  - Abraham Camba and Janus Agcaoili walk through the infection chain of a spam campaign that distributes a variety of different malware including jRAT, XTRAT, Loki, and Dunihi.
  XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
  - Lorin Wu examines the XLoader Android malware.
  XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
- Nikolaos Pantazopoulos at NCC Group shares details of Gh0st RAT, “which appeared to be linked with a well-known group named Iron Tiger”
Decoding network data from a Gh0st RAT variant
- Zerophage Malware shares an infection chain of the Rig EK dropping Smoke Loader
Rig EK via Malvertising drops Smoke Loader
- Alex Caithness at CCL discusses some of the considerations in the changing digital evidence landscape with regards to cloud storage, data synchronisation, and IoT devices.
Digital Evidence does not exist in a vacuum
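The Metasploit URI check from the ISC item above, as an added example written for this page (it is not Didier's metatool.py): it reimplements the 8-bit checksum that Metasploit's reverse_http(s) handler uses to decide how to treat a request path, and extracts the 22-character base64url payload UUID that precedes the random filler in UUID-mode URIs. The mode values (92 native/Windows, 80 Python, 88 Java, 98 reconnect), the 22-character minimum, and the "strip everything that is not base64url" normalisation are as I recall them from Metasploit's `Rex::Payloads::Meterpreter::UriChecksum`; treat them as assumptions and re-check against the framework source. The sample UUID and request paths are constructed, and `classify_uri`, `make_uri` and `scan_paths` are my own names.

```python
import base64
import random
import re
from typing import Optional

# 8-bit URI checksum values that Metasploit's HTTP handler recognises (assumed from
# Rex::Payloads::Meterpreter::UriChecksum: INITW/INITN = 92, INITP = 80, INITJ = 88, CONN = 98).
CHECKSUM_MODES = {
    92: "init_native",  # Windows / native stager request
    80: "init_python",  # Python stager request
    88: "init_java",    # Java stager request
    98: "connect",      # reconnect of an existing session
}
UUID_MIN_LEN = 22  # base64url length of the 16-byte payload UUID
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def bare_resource(path: str) -> str:
    """Drop the query string and every non-base64url character (including the leading '/'),
    the same normalisation the handler applies before checking a request."""
    return re.sub(r"[^A-Za-z0-9_\-]", "", path.split("?", 1)[0])


def checksum8(s: str) -> int:
    """Sum of the ASCII values modulo 256."""
    return sum(s.encode("ascii")) % 256


def classify_uri(path: str) -> Optional[dict]:
    """Return the handler mode (plus the raw UUID when the path is long enough to carry one)
    that a request path would be treated as, or None if its checksum matches no mode."""
    bare = bare_resource(path)
    csum = checksum8(bare)
    mode = CHECKSUM_MODES.get(csum)
    if mode is None:
        return None
    uuid_hex = None
    if len(bare) >= UUID_MIN_LEN:
        # 22 base64url chars -> 16 bytes: 8-byte payload id followed by xor-masked
        # platform/arch/timestamp fields (left encoded here)
        uuid_hex = base64.urlsafe_b64decode(bare[:UUID_MIN_LEN] + "==").hex()
    return {"mode": mode, "checksum": csum, "uuid_hex": uuid_hex}


def make_uri(uuid_raw: bytes, mode_checksum: int, length: int = 30, seed: int = 0) -> str:
    """Build a UUID-mode URI the way the framework does: base64url(UUID) followed by random
    base64url filler, retried until checksum8 hits the wanted mode value. Seeded so the result
    is reproducible; fewer than four filler characters cannot reach every residue mod 256."""
    prefix = base64.urlsafe_b64encode(uuid_raw).decode().rstrip("=")
    filler_len = length - len(prefix)
    if filler_len < 4:
        raise ValueError("need at least four filler characters after the UUID")
    rng = random.Random(seed)
    for _ in range(100_000):  # expected ~256 tries
        cand = prefix + "".join(rng.choice(B64URL) for _ in range(filler_len))
        if checksum8(cand) == mode_checksum:
            return "/" + cand
    raise RuntimeError("no matching filler found")


def scan_paths(paths):
    """Flag request paths from a proxy or web-server log that look like Metasploit
    reverse_http(s) traffic. Paths shorter than UUID_MIN_LEN match by checksum alone, so
    they are reported as weak hits (about 1 in 64 random paths collides)."""
    hits = []
    for p in paths:
        info = classify_uri(p)
        if info:
            info["path"] = p
            info["strength"] = "strong" if info["uuid_hex"] else "weak"
            hits.append(info)
    return hits


if __name__ == "__main__":
    # Constructed sample: a fake payload UUID plus ordinary paths from a log.
    sample_uuid = bytes(range(16))
    paths = [make_uri(sample_uuid, 92), "/index.html", "/aaa9", "/favicon.ico"]
    for h in scan_paths(paths):
        print(h)
```

The checksum alone is a weak signal: four of the 256 possible values are "valid", so one random path in 64 collides, which is why `scan_paths` only calls a hit strong when the path is long enough to carry a UUID. Older, pre-UUID stagers used short paths (the `/aaa9` case) and can only ever produce a weak hit, so corroborate with the User-Agent and the response size before acting on it.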
MISCELLANEOUS
- Duncan Slater at Foregenix takes a “look at bridging the gap between the initial point of intrusion and instigation of an effective incident response plan.”
Reducing the Impact of a Breach Through Early Detection (Part 2) – Incident Response vs Incident Readiness
- Brett Shavers at DFIR.Training comments on the need to have a plan before commencing your examination.
Know what you want to do before you push that button
- There were a few posts on Forensic Focus this week
  - Scar shares her picks of digital forensics news for the month.
  Digital Forensics News April 2018
  - Scar also provided an overview of the upcoming Techno Security & Digital Forensics conference (which I’ll be attending, so say hi if you’re there!)
  Techno Security & Digital Forensics 2018 – Myrtle Beach 3rd-6th June
  - Tim Alcock “provides a brief background to the application of ISO/IEC 17025 together with an overview of the new standard, highlighting the major changes.” I think that this article could be improved by talking specifically about digital forensics labs, as it’s very generic.
  Changes To Forensic Laboratory Accreditation Requirements – ISO/IEC 17025
- Adam at Hexacorn talks about a process examination application called XueTR/PCHunter.
Kernel hacking tool you might have never heard of – XueTR/PCHunter
- Magnet Forensics announced their partnership with the Child Rescue Coalition (CRC) in the US, and Jad Saliba shared his thoughts on the partnership.
Furthering our Mission with Child Rescue Coalition: An Interview with Jad Saliba
- The MISP project share details of “a new feature for MISP that allows users to build full blown events that extend an existing event, giving way to a combined event view that includes a sum total of the event along with all extending events.”
Introducing The New Extended Events Feature in MISP
- John Patzakis, Esq. at X1 Discovery shares a case study where screenshots of a Facebook post were presented as evidence, and weren’t accepted by the court.
Commonwealth vs. Mangel: Print Screen for Social Media Disallowed Again
- NIST released version 1 of their Windows Registry Forensic Tool Test Assertions and Test Plan for public comment.
Windows Registry Forensic Tool Test Assertions and Test Plan
- Scar de Courcier provides an overview of the next book that she’s working on, “aimed at people who want to get into the industry”.
First Steps In Digital Forensics – What Would You Like To See?
SOFTWARE UPDATES
- Profiler 2.9.1 was released with a number of new features and bug fixes.
Profiler 2.9
- Didier Stevens updated a few of his tools during the week
- There was an update to the X-Ways Viewer component to fix some bugs.
Viewer Component
- ExifTool 10.94 (development) was released with new tags and bug fixes
ExifTool 10.94
- GetData released Forensic Explorer v4.3.5.7300 with a few bug fixes, as well as “File Vault decryption (with password) support.”
18 Apr 2018 – 4.3.5.7300
- SalvationData released SPF V3.71.6.0, incorporating their recent WhatsApp tool, as well as enhancements and bug fixes.
[Software Update] Mobile Forensics SPF V3.71.6.0 WhatsApp Database Extraction & Decryption Is Now Available!
And that’s all for Week 16! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!